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By IVIIKE ROTHIVIAN 
Network World, 05/17/99 

As the world increasingly turns to electronic 
business, electronic credentials that prove 
identity are becoming a critical necessity. Much 
like a passport proves identity in the offline 
world, public-key infrastructure (PKI) delivers a 
way to prove identity in the online world. 



PKI is fast becoming the cornerstone of information security 
technology for a large number of companies. 

PKI ensures that people are who they say they are and also 
proves that documents haven't been tampered with, which is 
critical when conducting online transactions, such as placing 
orders or transferring money. Here's a simplified look at these 
state-of-the-art passports to the online world. 

The magic of PKI occurs through the use of extremely long 
prime numbers, called keys. Two keys are involved - a private 
key, which only you have access to, and a public key, which can 
be accessed by anyone. The two keys work together, so a 
message scrambled with the private key can only be 
unscrambled with the public key and vice versa. The more digits 
in these keys, the more secure the process. 

Just as you prove your identity through a handwritten signature 
offline, you use a digital signature to prove your identity online. 
But without seeing a person sign the document, how can you 
prove it's the right person? 

This is where public-key cryptography comes in, A large piece of 
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data set to be encoded - for instance, a document - is run 
through a complicated mathematical computation to generate a 
single large number, called a hash. The original data and the 
hash are inextricably linked. If either changes, the hash won't 
match and the message cannot be decoded. 

To digitally sign a document, a hash is taken of the document 
and then signed with a user's (let's call him Bob) private key. 
Data scrambled with Bob's private key can only be unscrambled 
with Bob's public key. Any entity can verify the validity of the 
document by unscrambling the hash with Bob's public key and 
checking that against another hash computed from the received 
data. 

If the hashes match, the data was not tampered with and Bob's 
digital signature is on It. But because I didn't watch Bob sign 
the document, I don't know that it wasn't signed by an 
imposter. This issue is solved because only Bob has his private 
key, and so he is the only one who could have signed the 
document. 

How do I know I have the correct key to verify the signature? 
This is where the concept of trust enters the system, creating 
the need for a certificate authority to verify online identity. 

The certificate authority is like an online passport bureau - a 
trusted entity that makes the PKI system work. The private key 
is securely generated by Bob, and after verifying Bob's identity, 
the certificate authority signs Bob's public key with Its own 
private root key. The combination of Bob's public key and the 
signature of the certificate authority completes Bob's digital 
certificate. Bob's digital certificate is his online passport, 
validated by the certificate authority's watermark. 

Let's look at how all this works together in a simple transaction. 
Bob wants to send Alice a confidential e-mail. Bob would use 
Alice's public key, stored in her certificate, to scramble the 
message. When Alice receives the message, she uses her 
private key to unscramble it. Because no one else possess 
Alice's private key, only she can unscramble the message. 

The process is similar in complex transactions. Let's say Bob 
wants to let Alice order products from his Web site. When Alice 
is ready to buy. Bob requests that she prove her identity. Alice 
signs the order with her private key, which was issued by a 
certificate authority we'll call TrustCo. She then sends the 
package consisting of the order and the digital signature to Bob. 
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Bob needs to get Alice's and TrustCo's digital certificate to 
verify the signature. He validates Alice's certificate by verifying 
TrustCo's signature (remember TrustCo signs Alice's public key, 
thus forming the certificate), and then uses Alice's certificate to 
validate the signature on the order. If all those tests pass, Alice 
is actually Alice. 

Like any security technology, digital signatures used in the PKI 
model aren't perfect. If the certificate authority's root key is 
stolen, then anyone can create digital certificates, which 
compromises the trust level of the certificate authority and 
makes all the certificates from that certificate authority null and 
void. Certificate authorities go to great lengths to keep their 
keys secure, including armored bunkers. Additionally, if Bob 
loses his private key, or if it's stolen, then anyone possessing 
the private key can pose as Bob. 

More importantly, thousands of applications used throughout 
businesses need to be PKI-ready. Applications need to know 
how to ask Bob to sign data and how to validate the data using 
certificates. For PKI to become a widely used technology, it 
must become a transparent part of everyday software, so end 
users don't need to understand all the complexity behind keys, 
hashes and digital certificates. 

Rothman is executive vice president of SHYM Technology, a 
software company that makes PKI wares. He can be reached at 
mrothman@shym.com or www.sh ym.com . 
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